Analysis
max time kernel: 156s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/12/2022, 07:06
Static task: static1
Behavioral task: behavioral1
Sample: 9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: 9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe
Resource: win10v2004-20220812-en
General
Target: 9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe
Size: 314KB
MD5: 58b95345f410185e54c32e190c9eec43
SHA1: 9701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA256: 9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA512: 41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
SSDEEP: 6144:Z0NtY63xjxc2CiyOyo95ULe2dp8f20xzpIdWO9WbVXfP6do6skevD:Z0PYKxOhooLe2DMIdd9WxfPqo6fevD
Malware Config
Signatures
Executes dropped EXE 45 IoCs
Modifies Windows Firewall 1 TTPs 1 IoCs
pid 2796, process netsh.exe
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smwcore = "C:\\Windows\\system32\\advapi32res.exe" (process: advapi32res.exe)
Drops file in System32 directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 46 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 904

C:\Windows\SysWOW64\asferror.exe (depth 2)
Command line: C:\Windows\system32\asferror.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2892

C:\Windows\SysWOW64\aadauthhelper.exe (depth 3)
Command line: C:\Windows\system32\aadauthhelper.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4792

C:\Windows\SysWOW64\AboveLockAppHost.exe (depth 4)
Command line: C:\Windows\system32\AboveLockAppHost.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 5028

C:\Windows\SysWOW64\ActivationManager.exe (depth 5)
Command line: C:\Windows\system32\ActivationManager.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 5020

C:\Windows\SysWOW64\AarSvc.exe (depth 6)
Command line: C:\Windows\system32\AarSvc.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2304

C:\Windows\SysWOW64\ActionCenterCPL.exe (depth 7)
Command line: C:\Windows\system32\ActionCenterCPL.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2928

C:\Windows\SysWOW64\amstream.exe (depth 8)
Command line: C:\Windows\system32\amstream.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2180

C:\Windows\SysWOW64\AnalogCommonProxyStub.exe (depth 9)
Command line: C:\Windows\system32\AnalogCommonProxyStub.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1928

C:\Windows\SysWOW64\AcGenral.exe (depth 10)
Command line: C:\Windows\system32\AcGenral.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 224

C:\Windows\SysWOW64\AcSpecfc.exe (depth 11)
Command line: C:\Windows\system32\AcSpecfc.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4240

C:\Windows\SysWOW64\AboveLockAppHost.exe (depth 12)
Command line: C:\Windows\system32\AboveLockAppHost.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4820

C:\Windows\SysWOW64\acledit.exe (depth 13)
Command line: C:\Windows\system32\acledit.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4472

C:\Windows\SysWOW64\audiodev.exe (depth 14)
Command line: C:\Windows\system32\audiodev.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4704

C:\Windows\SysWOW64\accessibilitycpl.exe (depth 15)
Command line: C:\Windows\system32\accessibilitycpl.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4740

C:\Windows\SysWOW64\adprovider.exe (depth 16)
Command line: C:\Windows\system32\adprovider.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3148

C:\Windows\SysWOW64\AppxPackaging.exe (depth 17)
Command line: C:\Windows\system32\AppxPackaging.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1992

C:\Windows\SysWOW64\AcGenral.exe (depth 18)
Command line: C:\Windows\system32\AcGenral.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4880

C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe (depth 19)
Command line: C:\Windows\system32\AppInstallerPrompt.Desktop.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2796

C:\Windows\SysWOW64\advapi32.exe (depth 20)
Command line: C:\Windows\system32\advapi32.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3356

C:\Windows\SysWOW64\ActionCenterCPL.exe
C:\Windows\system32\ActionCenterCPL.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32
Process tree depth: 21
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2400
C:\Windows\SysWOW64\AcXtrnal.exe
C:\Windows\system32\AcXtrnal.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32
Process tree depth: 22
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2808
C:\Windows\SysWOW64\AcSpecfc.exe
C:\Windows\system32\AcSpecfc.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32
Process tree depth: 23
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 2184
C:\Windows\SysWOW64\aeevts.exe
C:\Windows\system32\aeevts.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32
Process tree depth: 24
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 4160
C:\Windows\SysWOW64\acledit.exe
C:\Windows\system32\acledit.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32
Process tree depth: 25
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 1600
C:\Windows\SysWOW64\adsldp.exe
C:\Windows\system32\adsldp.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
Process tree depth: 26
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 3720
C:\Windows\SysWOW64\aadauthhelper.exe
C:\Windows\system32\aadauthhelper.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32
Process tree depth: 27
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 4960
C:\Windows\SysWOW64\aclui.exe
C:\Windows\system32\aclui.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32
Process tree depth: 28
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 4172
C:\Windows\SysWOW64\AarSvc.exe
C:\Windows\system32\AarSvc.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32
Process tree depth: 29
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 700
C:\Windows\SysWOW64\acppage.exe
C:\Windows\system32\acppage.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32
Process tree depth: 30
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 4996
C:\Windows\SysWOW64\archiveint.exe
C:\Windows\system32\archiveint.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32
Process tree depth: 31
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 1656
C:\Windows\SysWOW64\accountaccessor.exe
C:\Windows\system32\accountaccessor.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32
Process tree depth: 32
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 4984
C:\Windows\SysWOW64\aadauthhelper.exe
C:\Windows\system32\aadauthhelper.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32
Process tree depth: 33
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 644
C:\Windows\SysWOW64\accessibilitycpl.exe
C:\Windows\system32\accessibilitycpl.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32
Process tree depth: 34
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 1764
C:\Windows\SysWOW64\AboveLockAppHost.exe
C:\Windows\system32\AboveLockAppHost.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32
Process tree depth: 35
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 2352
C:\Windows\SysWOW64\accountaccessor.exeC:\Windows\system32\accountaccessor.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 
-m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system3236⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:404
-
C:\Windows\SysWOW64\aadauthhelper.exe
C:\Windows\system32\aadauthhelper.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32
37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3796
-
C:\Windows\SysWOW64\acledit.exe
C:\Windows\system32\acledit.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32
38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3924
-
C:\Windows\SysWOW64\aclui.exe
C:\Windows\system32\aclui.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4280
-
C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe
C:\Windows\system32\AppIdPolicyEngineApi.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4280:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32
40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3144
-
C:\Windows\SysWOW64\ActivationClient.exe
C:\Windows\system32\ActivationClient.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4280:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m3144:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe -sC:\Windows\system32
41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
C:\Windows\SysWOW64\acledit.exe
C:\Windows\system32\acledit.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4280:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m3144:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\ActivationClient.exe -sC:\Windows\system32
42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1120
-
C:\Windows\SysWOW64\AcLayers.exe
C:\Windows\system32\AcLayers.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4280:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m3144:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\ActivationClient.exe -sC:\Windows\system32 -m1120:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:392
-
C:\Windows\SysWOW64\advapi32res.exe
C:\Windows\system32\advapi32res.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4280:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m3144:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\ActivationClient.exe -sC:\Windows\system32 -m1120:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m392:C:\Windows\SysWOW64\AcLayers.exe -sC:\Windows\system32
44⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3092
-
C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe
C:\Windows\system32\AppIdPolicyEngineApi.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4280:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m3144:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\ActivationClient.exe -sC:\Windows\system32 -m1120:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m392:C:\Windows\SysWOW64\AcLayers.exe -sC:\Windows\system32 -m3092:C:\Windows\SysWOW64\advapi32res.exe -sC:\Windows\system32
45⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4880
-
C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Windows\SysWOW64\advapi32res.exe" enable
45⤵
- Modifies Windows Firewall
PID:2796
-
C:\Windows\SysWOW64\advapi32res.exe
C:\Windows\SysWOW64\advapi32res.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4280:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m3144:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\ActivationClient.exe -sC:\Windows\system32 -m1120:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m392:C:\Windows\SysWOW64\AcLayers.exe -sC:\Windows\system32 -w3092
45⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:956
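Two things in the process tree above are worth pulling out by script rather than by eye. First, every command line names C:\Windows\system32\<name>.exe while the sandbox records the image as C:\Windows\SysWOW64\<name>.exe: the sample is a 32-bit process, so WOW64 file-system redirection turns its "system32" drops and launches into SysWOW64 (which is also why the netsh exception names the SysWOW64 path). Second, each generation re-passes the whole ancestry as repeated -m<pid>:<path> -s<dir> pairs, and the final child gets -w3092 instead of an extra pair, while the 3092 parent also spawns netsh with the legacy "netsh firewall add allowedprogram" syntax to whitelist itself. The parser below is an added example, not part of the Triage report or of the sample's own code; the report does not document the switches, so the -m pairs are read as an ancestry list only because their PIDs and paths match the report's process table (an assumption), and -w is extracted without being interpreted. The input is constructed: abridged copies of four command lines from this page with intermediate -m pairs omitted.

```python
"""Structural parser for the process-tree command lines in this report.

Added example; not part of the Triage report nor of the sample's own code.
Assumptions: the repeated "-m<pid>:<path> -s<dir>" pairs are treated as an
ancestry list because their PIDs and paths match the report's process
table; "-w<pid>" is extracted but not interpreted.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe")
SYS32 = r" -sC:\Windows\system32"

PAIR_RE = re.compile(r"-m(?P<pid>\d+):(?P<path>.+?) -s(?P<dir>\S+)")
WAIT_RE = re.compile(r"-w(?P<pid>\d+)\s*$")
# Legacy "netsh firewall" context (pre-advfirewall syntax), still accepted on
# Windows 10; droppers use it to whitelist themselves without a UI prompt.
NETSH_RE = re.compile(
    r'netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+"?(?P<prog>[^"]+?)"?\s+enable\b',
    re.IGNORECASE)


def chain(*pairs: Tuple[int, str]) -> str:
    """Render (pid, path) pairs the way the sample does: -m<pid>:<path> -s<dir>."""
    return "".join(f" -m{pid}:{path}{SYS32}" for pid, path in pairs)


# Constructed input: abridged copies of four command lines from the report
# (intermediate -m pairs omitted; PIDs, paths and order are the report's own).
ROOT = (904, SAMPLE_PATH)
GEN = [(2892, r"C:\Windows\SysWOW64\asferror.exe"),
       (2352, r"C:\Windows\SysWOW64\AboveLockAppHost.exe"),
       (404, r"C:\Windows\SysWOW64\accountaccessor.exe"),
       (392, r"C:\Windows\SysWOW64\AcLayers.exe"),
       (3092, r"C:\Windows\SysWOW64\advapi32res.exe")]
SAMPLE_CMDLINES: Dict[int, Tuple[str, str]] = {          # pid: (image path, command line)
    404: (r"C:\Windows\SysWOW64\accountaccessor.exe",
          r"C:\Windows\system32\accountaccessor.exe" + chain(ROOT, *GEN[:2])),
    4880: (r"C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe",
           r"C:\Windows\system32\AppIdPolicyEngineApi.exe" + chain(ROOT, *GEN)),
    2796: (r"C:\Windows\SysWOW64\netsh.exe",
           r'C:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Windows\SysWOW64\advapi32res.exe" enable'),
    956: (r"C:\Windows\SysWOW64\advapi32res.exe",
          r"C:\Windows\SysWOW64\advapi32res.exe" + chain(ROOT, *GEN[:4]) + " -w3092"),
}


@dataclass
class ProcessEntry:
    pid: int
    image: str                       # image path as the sandbox recorded it
    cmdline: str                     # command line as the sandbox recorded it
    lineage: List[Tuple[int, str]] = field(default_factory=list)   # oldest first
    wait_for: Optional[int] = None
    indicators: List[str] = field(default_factory=list)


def argv0(cmdline: str) -> str:
    """First token of a command line (quoted, or up to the first space)."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def indicators_for(e: ProcessEntry) -> List[str]:
    found = []
    # argv[0] says \system32\ but the image lives in \SysWOW64\: a 32-bit
    # process whose system32 paths were redirected by WOW64.
    if "\\system32\\" in argv0(e.cmdline).lower() and "\\syswow64\\" in e.image.lower():
        found.append("wow64_system32_path_redirected")
    dropped = [p for _, p in e.lineage if "\\syswow64\\" in p.lower()]
    if dropped:
        found.append(f"{len(dropped)}_ancestors_dropped_in_syswow64")
    if e.lineage and e.lineage[0][1].lower().startswith(r"c:\users\admin\appdata\local\temp"):
        found.append("chain_rooted_in_user_temp")
    m = NETSH_RE.search(e.cmdline)
    if m:
        found.append(f"legacy_netsh_firewall_exception:{m['prog']}")
    return found


def parse_entry(pid: int, image: str, cmdline: str) -> ProcessEntry:
    e = ProcessEntry(pid=pid, image=image, cmdline=cmdline)
    e.lineage = [(int(m["pid"]), m["path"]) for m in PAIR_RE.finditer(cmdline)]
    w = WAIT_RE.search(cmdline)
    e.wait_for = int(w["pid"]) if w else None
    e.indicators = indicators_for(e)
    return e


def parse_report(samples: Dict[int, Tuple[str, str]] = SAMPLE_CMDLINES) -> Dict[int, ProcessEntry]:
    return {pid: parse_entry(pid, image, cmd) for pid, (image, cmd) in samples.items()}


def chain_is_consistent(entries: List[ProcessEntry]) -> bool:
    """Every shorter ancestry must be a prefix of every longer one: the
    report's chains grow by exactly one pair per generation."""
    ordered = sorted((e for e in entries if e.lineage), key=lambda e: len(e.lineage))
    return all(a.lineage == b.lineage[:len(a.lineage)] for a, b in zip(ordered, ordered[1:]))


if __name__ == "__main__":
    entries = parse_report()
    print("ancestry chains consistent:", chain_is_consistent(list(entries.values())))
    for e in entries.values():
        print(f"PID {e.pid}: depth {len(e.lineage)}, wait_for={e.wait_for}, {e.indicators}")
```

Fed the full command lines from the tree, the same parser reproduces the depth numbers the report shows (the depth-36 entry carries 35 pairs plus the root). The netsh regex deliberately matches the deprecated "netsh firewall" context rather than "netsh advfirewall": on a current Windows 10 host legitimate software has no reason to use the legacy syntax, so the match alone is a strong hunting signal in process-creation telemetry.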
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
314KB
MD5 58b95345f410185e54c32e190c9eec43
SHA1 9701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA256 9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA512 41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
(same size and hashes as the submitted sample: the dropped executable is a byte-for-byte copy of it)
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
-
Filesize
314KB
MD558b95345f410185e54c32e190c9eec43
SHA19701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA2569611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA51241caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd